OpenLDAP Client Authentication

OmniOS can be used for OpenLDAP Client Authentication, both as a server and a client. The server stores the Directory Information Tree(DIT), that contains authentication details used by the client server. This guide will demonstrate how to configure both the server and the client.

This guide is a continuation of the OpenLDAP Quick Start Guide and assumes you have completed the tasks outlined in this guide.

Note: that by default, the slapd database grants read access to everybody excepting the super-user (as specified by the rootdn configuration directive). It is highly recommended that you establish controls to restrict access to authorized users. Access controls are discussed in the Access Control chapter of the OpenLDAP Administrator’s Guide. You are also encouraged to read the Security Considerations, Using SASL and Using TLS sections.

Setup OpenLDAP Client Authentication Server

First, let’s do some further configuration on the OpenLDAP server, to allow LDAP Client Authentication.

LDAP Client authentication relies on the nis.schema, which is located under /etc/opt/ooce/openldap/schema/ directory. Further, nis.schema relies on the cosine.schema and inetOrgPerson.schema, therefore these will also be imported as follows:

root@ldap:#  /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/cosine.ldif
Enter LDAP Password:
adding new entry "cn=cosine,cn=schema,cn=config"

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/inetorgperson.ldif
Enter LDAP Password:
adding new entry "cn=inetorgperson,cn=schema,cn=config"

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/nis.ldif
Enter LDAP Password:
adding new entry "cn=nis,cn=schema,cn=config"

Adding Groups and Users to the system

In order to populate the DIT with users and groups for the client, “Organizational Units”(ou) need to be created to store these. Therefore we create the following “ou”’s, group and user.

Add the Organizational Unit: group

First, create an ldif text file that can be used to import the data into the DIT.

root@ldap:# cat << EOF > ou-group.ldif
dn: ou=group,dc=omnios,dc=org
objectClass: organizationalUnit
ou: group
EOF

This can now be added to the DIT with the ldapadd command as follows:

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f ou-group.ldif
Enter LDAP Password:
adding new entry "ou=group,dc=omnios,dc=org"

This ou represents groups for users. The same as what you have with /etc/group with traditional Unix authentication.

Add the Organizational Unit: user

Again, create an ldif text file that can be used to import the data into the DIT.

root@ldap:# cat << EOF > ou-user.ldif
dn: ou=user,dc=omnios,dc=org
objectClass: organizationalUnit
ou: user
EOF

This can now be added to the DIT with the ldapadd command as follows:

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f ou-user.ldif
Enter LDAP Password:
adding new entry "ou=user,dc=omnios,dc=org"

This ou represents users that will access systems via OpenLDAP Client Authentication. Again, this is the same as what you have with /etc/passwd with traditional Unix authentication.

Add the other group to the ou=group

Within this organizational unit we will add the first group, other, the same as the default group when setting up a new user on OmniOS.

Again, we follow the standard procedure of creating an ldif text file and then import with ldapadd.

root@ldap:# cat  << EOF > group-other.ldif
dn: cn=other,ou=group,dc=omnios,dc=org
objectClass: posixGroup
cn: other
gidNumber: 1
EOF
root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f group-other.ldif
Enter LDAP Password:
adding new entry "cn=other,ou=group,dc=omnios,dc=org"

Add a user to the ou=user

Now we will add our first user. This will be the user that we test the LDAP Client Authentication, on the client system.

Again, we follow the standard procedure of creating an ldif text file and then import with ldapadd.

root@ldap:# cat << EOF > user-rigby.ldif
dn: uid=rigby,ou=user,dc=omnios,dc=org
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Rigby
uid: rigby
uidNumber: 101
gidNumber: 1
homeDirectory: /home/rigby/
loginShell: /usr/bin/bash
userPassword: {SSHA}WjKBvaM5QYtyzrpQDs2NHtOTbLwYizxe
EOF
root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f user-rigby.ldif
Enter LDAP Password:
adding new entry "uid=rigby,ou=user,dc=omnios,dc=org"

This completes the configuration of the OpenLDAP Client Authentication server. OpenLDAP should be running, the DIT is populated, and is now ready to authenticate against clients stored in the DIT.

Setup Client

On a different OmniOS system, I will configure the client. No LDAP software needs to be installed, as OmniOS comes with the ldapclient(1) program that takes care of configuration and authentication.

Allow use of DNS for host lookups in ldap.

By default the nsswitch.ldap file does not permit dns lookups so this needs to be changed before we run the ldapclient command.

Change the following line in /etc/nsswitch.ldap:

hosts:      files ldap

to the following:

hosts:      files dns ldap

Configure ldapclient

The following is sufficient to configure ldapclient to allow authentication with the server, that has been configured previously. The defaultServerList directive should point to a Fully Qualified Domain Name that you manage (e.g. the server that has been configured in the previous section). Consult the manpage for full details of the ldapclient command.

Issue the following command to manually create the configuration for the LDAP client.

root@client:# ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a defaultSearchBase=dc=omnios,dc=org \
-a domainName=omnios.org \
-a defaultServerList=ldap.omnios.org \
-a proxyDN=cn=Manager,dc=omnios,dc=org \
-a proxyPassword=secret \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:ou=user,dc=omnios,dc=org \
-a serviceSearchDescriptor=group:ou=group,dc=omnios,dc=org \
-a serviceSearchDescriptor=shadow:ou=user,dc=omnios,dc=org
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
System successfully configured

On success, this will create two files under /var/ldap/, ldap_client_cred and ldap_client_file. These should not be hand edited, instead all changes should be made with the ldapclient command. However, feel free to browse the contents of these files with cat or your favorite editor.

Update /etc/pam.conf:

One last step is needed, we need to tell the Pluggable Authentication Module (PAM) to allow for client authentication via LDAP. This can be achieved by changing the following line:

login   auth required           pam_unix_auth.so.1

to the following two lines:

login   auth binding            pam_unix_auth.so.1  server_policy
login   auth required           pam_ldap.so.1

Now you have fully configured LDAP Client Authentication for your system that will act as the client. Reboot this system to make sure all changes are in effect.

On reboot, you should now be able to login in with the new user that has been created.

This is demonstrated as follows:

Hostname: client
LDAP domain name is omnios.org

client console login: rigby
Password:
OmniOS r151036  omnios-r151036-4a32ffb911       November 2020
rigby@client:~$

A Note on Error Messages on Reboot

One minor annoyance at the time of writing this is the error message as follows:

Nov 17 13:19:41 svc.startd[44]: libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Nov 17 13:19:41 svc.startd[44]: libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').

There has been a bug filed for this behaviour https://www.illumos.org/issues/487. Further, under the official Solaris documentation, the advice is to ignore these messages.

Looking forward

You are strongly advised to implement full security before using OpenLDAP Client Authentication in a production system. Access controls are discussed in the Access Control chapter of the OpenLDAP Administrator’s Guide. You are also encouraged to read the Security Considerations, Using SASL and Using TLS sections.